Analysis

max time kernel: 148s
max time network: 103s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 10-05-2024 16:23

Static task: static1
Behavioral task: behavioral1
Sample: OSCE-CUR1202069986.vbs
Resource: win7-20240508-en
General

Target: OSCE-CUR1202069986.vbs
Size: 2.2MB
MD5: bafce37d28a61cc064beeb186de90d78
SHA1: 0d2bc349c0da8f5a92df71e9cb34d92b4bb6e70c
SHA256: 4a2e30d454a2c64df5eeea0a038d86dc0d230faf595efc7c9fc4773d083348a9
SHA512: 9044e58359b2e1c9ecaa04807b3332bd654a34426047f71494ac74ecec56915a1278ec8a5c7648aa873985af919012ada47943c0b3eed030b5adf06e02cad040
SSDEEP: 3072:opDhIAeifbWm7bDBuaQc1DAjTMTNoA5mky0S+/8Zi5XY+2h+/GOwmNLgR5btVVW7:oX8sBP0tmjoPJwbxYNWQcVZA2+vZ4qC
Malware Config

Extracted: dridex
104.131.41.185:443
178.62.75.204:1443
138.201.138.91:3389
62.75.191.14:3389
Signatures

Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2580 | 2520 | regsvr32.exe |

Loads dropped DLL (1 IoCs)
Processes:
pid | process
4036 | regsvr32.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
pid | process
2548 | WScript.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description | pid | process | target process
PID 2580 wrote to memory of 4036 | 2580 | regsvr32.exe | regsvr32.exe
PID 2580 wrote to memory of 4036 | 2580 | regsvr32.exe | regsvr32.exe
PID 2580 wrote to memory of 4036 | 2580 | regsvr32.exe | regsvr32.exe
Processes

C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\OSCE-CUR1202069986.vbs"
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\VozQAgGH.txt
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\regsvr32.exe
    -s C:\Users\Admin\AppData\Local\Temp\VozQAgGH.txt
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\RDgFsFhj.txt.zip
Filesize: 173KB
MD5: 1a06a9ee708aedc9262e0deb92a6d96c
SHA1: 9b19d73ae13951b7841f3d0df907c078a037e57b
SHA256: 52707f6fa67030ab19ff2c3ccac34fcb0ebdc82ef38a462980d28ffe785abe4f
SHA512: 869c5adc3e55aef45438113492343c5268c350c7bf32a1870d2b4db3d35ae500f69f916597a35888b17b0f3760c613b10a946a92f6527626181be3893a16721a

C:\Users\Admin\AppData\Local\Temp\VozQAgGH.txt
Filesize: 234KB
MD5: dcc0d174cb7fec609f31c0f95347f913
SHA1: d77a6c10f9538ccd630d437390e69471cbc3cebb
SHA256: 56b8f57264cd5747a3282754601387cf860eab9c18d1c14bcdd6074c88c5a0e0
SHA512: d626c4a4b42d7ffd68fb2433943e3657add9ac69f13ec2dd6233ee58ea041179c8a2795212baeb895f56f9c04a2a66035652ca24f0d0eff127ee2d06187924e0

memory/4036-25-0x0000000074EF0000-0x0000000074F42000-memory.dmp
Filesize: 328KB

memory/4036-26-0x0000000074F2B000-0x0000000074F2E000-memory.dmp
Filesize: 12KB

memory/4036-27-0x0000000074EF0000-0x0000000074F42000-memory.dmp
Filesize: 328KB